
Remove combination.py as it is useless now.
Add analysis spreadsheet.
Add written analysis of the issue (article).

Puskás Zoltán authored on 02/05/2012 22:38:55
Showing 3 changed files

new file mode 100644
Binary files /dev/null and b/doc/analysis.ods differ
new file mode 100644
... ...
@@ -0,0 +1,80 @@
1
+The security of the Android unlock pattern lock screen
2
+
3
+Android phones are more just then phones, they are portable mini computers.
4
+They not only serve us to make calls but people also check email, Facebook,
5
+access messenger services, browse the internet and do many more on these 
6
+devices. As a result they contain a lot of private and/or business information
7
+that must be protected from prying eyes (or at least highly recommended). For
8
+this reason the security of the locking mechanism of the phone has more
9
+importance then before.
10
+
11
+On Android smart phones there several options to lock the phone. Slide, pattern,
12
+pin and password. The slide option offers no security, it only prevents
13
+accidental actions on the phone just like the simple key combination on the old 
14
+phones. The pattern unlock screen contains 9 dots in a 3x3 matrix. In order to 
15
+unlock the phone some dots have to be connected in a certain order. This is a 
16
+new, previously unused method and protects the phone from unauthorized access.
17
+Pin code is a number combination while the password is alphanumerical 
18
+combination that has to be entered into the phone in order to unlock it. These
19
+also protect the phone from unauthorized access.
20
+
21
+The math for the PIN/password security methods is well known, but except for one 
22
+site (that has incorrect and incomplete calculations) I could not find anything 
23
+meaningful on pattern security. Since in my experience people use either 
24
+the slide or the pattern (including myself) to lock the phone and maybe pin,
25
+I wanted to know actually how secure my data is. I will not take into 
26
+consideration the password unlock here since it is too impractical for everyday 
27
+use.
28
+
29
+The Android unlock pattern.
30
+
31
+The Android unlock pattern has 9 dots on the screen organized in a 3x3 matrix.
32
+To unlock the phone a so called pattern has to be drawn on the screen, which
33
+means connecting certain points in a certain order. So how many valid patterns
34
+are there? For this lets first observe the rules of pattern drawing:
35
+- at minimum 4 dots have to be used
36
+- at maximum 9 dots can be used
37
+- one dot can be used only once
38
+- the order in which the dots are connected matters
39
+- dots are connected with a straight line (all points on the path of the
40
+  line get connected)
41
+
42
+The last rule introduces some conditional connection paths. When connecting two
43
+points with a straight line it is valid only if there is no unused
44
+point in the way. For example: you cannot connect points 1 and 3 unless point
45
+2 is already is used. So by default drawing a line from 1 to 3 will result in
46
+the pattern 1->2->3. However if point 2 is used the transition 1->3 becomes
47
+valid, such as in 2->1->3.
48
+
49
+Also what some people seem to omit is that connecting points in a slight
50
+diagonal is possible (especially on Android 4, since the dots became smaller)
51
+such as 2->7.
52
+
53
+Pattern security analysis (compared with PIN)
54
+
55
+To find out what and how many patterns there are I have written a small
56
+program. It also can be used to generate random patterns for you to use on
57
+your device (the same way pwgen is used for password generation for computers).
58
+
59
+Let us compare the security of the pattern unlock to the old school PIN code.
60
+For that lets see the raw data:
61
+
62
+[Look at spreadsheet data]
63
+
64
+As you can see for a given number of dots there are much fewer combinations
65
+than for the same amount of numbers when used in a PIN code. However it is 
66
+compensated for by limiting the speed and amount of tries. The phone allows
67
+5 tries before suspending the lock screen for 30 seconds (both PIN and pattern). 
68
+The limit for pattern tries is set to 20 before it locks the user out completely
69
+and asks for the Google account and password. For PIN I don't see any limits or
70
+at least it is set to a high value (after 50 wrong codes I'm still not locked 
71
+out).
72
+
73
+The table above shows that by using patterns that are at least five dots long
74
+the random brute force success rate is well below 1%. Not taking into account
75
+other factors (e.g. smudge on the screen, frequently used patterns & numbers),
76
+we can say that the 5 dot long pattern is similar in strength to a 4 digit PIN
77
+combination and a 7 dot long pattern is similar in strength to a 5 digit PIN
78
+combination. However a 6 digit PIN is already more secure then all the
79
+patterns combined together.
80
+
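Review bot: the article leans on a table that is not in this text file: the placeholder "[Look at spreadsheet data]" and the later "The table above shows that by using patterns that are at least five dots long" both point at counts that only exist in the binary doc/analysis.ods added in the same commit, so the article cannot be read, reviewed or diffed on its own. Suggest inlining the per-length pattern counts and the PIN figures used in the closing paragraph as a plain-text table at the placeholder. The rule "dots are connected with a straight line (all points on the path of the line get connected)" would also read more precisely if it said this applies only to dots lying exactly on the straight segment between the two endpoints, which is what makes the slight-diagonal move "such as 2->7" mentioned later legal. Typos to fix in the same pass: "more just then phones" -> "more than just phones", "importance then before" -> "importance than before", "more secure then all the patterns" -> "more secure than all the patterns".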
deleted file mode 100755
... ...
@@ -1,32 +0,0 @@
1
-#!/usr/bin/python
2
-#
3
-# Android unlock pattern combinations script
4
-# Copyright (c) 2012 Zoltan Puskas
5
-# All rights reserved.
6
-#
7
-# This program is free software and redistributred under the 3-clause BSD
8
-# license. For details see attached license file COPYING
9
-#
10
-# Maintainer: Zoltan Puskas <zoltan@sinustrom.info>
11
-# Created on: 2012.02.03.
12
-#
13
-
14
-import os
15
-
16
-# conbination generator function
17
-def combination_iter(elements, length):
18
-    for i in xrange(len(elements)):
19
-        if length == 1:
20
-            yield (elements[i],)
21
-        else:
22
-            for next in combination_iter(elements[i+1:len(elements)], length-1):
23
-                yield (elements[i],) + next
24
-
25
-# function get combinations for a set of elements				
26
-def combination(l, k):
27
-    return list(combination_iter(l, k))
28
-
29
-# for all valid ranges of points calculate dot choices
30
-for num in range(4, 10):
31
-	print "If choosing %i dots out of 9 the number of different choices is %i " % (num, len(combination(range(1, 10), num)))
32
-
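Review bot: removing this script is consistent with the commit message, because combination_iter only enumerated unordered dot subsets (C(9,k)) and ignored both the ordering rule and the pass-through rule the new article lists, so its output never corresponded to valid pattern counts. What is missing is the replacement: the article states "I have written a small program" that enumerates the patterns and can generate random ones, but of the three files in this change only the spreadsheet and the article are added, so that program should either be committed alongside or the sentence should say where it can be found. Minor: the deleted header pointed at a license file COPYING that is not part of this change; confirm it still exists in the repository for the remaining files.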